CN107566401A - The means of defence and device of virtualized environment - Google Patents

Abstract

The invention discloses a method and device for protecting a virtualized environment. The method includes: when monitoring an access request message for accessing environmental feature information of the virtualized environment, intercepting the access request message; The access result data corresponding to the access request message, and determine the data type of the access result data; query the protection policy that matches the data type of the access result data, and process the access request message according to the query protection policy Carry out protective treatment. It can be seen that the present invention can monitor the access request message used to access the environment feature information of the virtualized environment, and perform corresponding protection processing for the access request message, so as to prevent the virtualized environment from being recognized by people, and improve the virtualized environment. protective effect.

Description

Protection method and device for virtualized environment

technical field

The invention relates to the technical field of network communication, in particular to a protection method and device for a virtualized environment.

Background technique

With the continuous development of communication technology, the Internet has been integrated into every aspect of life. However, as a derivative of the development of the Internet, hacking technology has also become pervasive, threatening network security increasingly seriously. Take the wireless network as an example, although the wireless network has won more and more users because of its advantages of easy access. However, incidents of hacking attacks by invading wireless networks are also increasing. For this reason, various defensive means have emerged to deal with hacker intrusions. For example, the behavior of hackers can be detected and analyzed through a virtualized environment, so that targeted defense measures can be taken.

However, in the process of implementing the present invention, the inventor found that the existing virtualization environment has at least the following problems: experienced hackers usually write codes to access the relevant feature information of the virtualization environment, so as to detect the current location according to the access results. Whether the environment is a virtualized environment, once a virtualized environment is detected, it will escape immediately, thereby avoiding the detection and analysis of the system. However, the existing virtualization environment cannot prevent the detection of hackers, and the protection function is poor.

Contents of the invention

In view of the above problems, the present invention is proposed to provide a protection method and device for a virtualized environment that overcomes the above problems or at least partially solves the above problems.

According to one aspect of the present invention, a protection method for a virtualized environment is provided, including:

intercepting the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualization environment;

determining the access result data corresponding to the access request message, and determining the data type of the access result data;

Query the protection policy that matches the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

According to another aspect of the present invention, a protection device for a virtualized environment is provided, including:

An intercepting module, adapted to intercept the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualized environment;

A determining module, adapted to determine access result data corresponding to the access request message, and determine a data type of the access result data;

The protection module is adapted to query a protection policy matching the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

According to another aspect of the present invention, an electronic device is provided, including: a processor, a memory, a communication interface, and a communication bus, and the processor, the memory, and the communication interface complete mutual communication through the communication bus communication;

The memory is used to store at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the above-mentioned protection method for the virtualized environment.

According to still another aspect of the present invention, a computer storage medium is provided, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform operations corresponding to the above-mentioned virtualization environment protection method.

In the protection method and device of the virtualized environment provided by the present invention, when an access request message for accessing the environment feature information of the virtualized environment is monitored, the access request message is intercepted; the access request message corresponding to the access request message is determined; result data, and determine the data type of the access result data; then, query the protection strategy matching the data type of the access result data, and perform protection processing on the access request message according to the queried protection strategy. It can be seen that the present invention can monitor the access request message used to access the environment feature information of the virtualized environment, and perform corresponding protection processing for the access request message, so as to prevent the virtualized environment from being recognized by people, and improve the virtualized environment. protective effect.

The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same parts. In the attached picture:

FIG. 1 shows a flowchart of a method for protecting a virtualized environment provided by an embodiment of the present invention;

Fig. 2 shows a structural diagram of a wireless network intrusion detection system;

FIG. 3 shows a schematic structural diagram of a multi-layer ring in a wireless network intrusion detection system;

FIG. 4 shows a structural diagram of a protection device for a virtualized environment provided by an embodiment of the present invention;

Fig. 5 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.

detailed description

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

Fig. 1 shows a flow chart of a protection method for a virtualized environment provided by an embodiment of the present invention. Wherein, the virtualization environment in this embodiment includes: a virtualization environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox. As shown in Figure 1, the method includes the following steps:

Step S100: Predetermine the application program interface corresponding to the access request message for accessing the environment feature information of the virtualized environment, and set a hook function for the application program interface.

Wherein, the environment characteristic information refers to: network information and/or software and hardware information related to the operating environment. Correspondingly, it can be determined whether the current operating environment is a real environment or a virtualized environment based on the environment feature information. For example, the environment feature information includes at least one of the following: physical network card information, registry information, and driver information. An attacker such as a hacker can realize the purpose of detecting the virtualized environment through an access request message for accessing the environment feature information of the virtualized environment. For this reason, the purpose of the embodiments of the present invention is to: predetermine the access request message and the corresponding application program interface used by the attacker to access the environment feature information of the virtualized environment, and set the hook function at the corresponding application program interface, In order to realize the monitoring of this kind of access request message. Wherein, the hook function is used to monitor the access request message triggered through the application program interface.

Specifically, since the access request message includes multiple types, how to judge whether an access request message belongs to the access request message for accessing the environment feature information of the virtualized environment is one of the technical problems to be solved in the present invention. In order to solve this problem, in this embodiment, the access behavior issued by the electronic device intruding into the virtualization environment for the virtualization environment is monitored in advance, and the environmental characteristics for accessing the virtualization environment are determined according to the access result corresponding to the access behavior Access request message for information.

For example, if it is found through monitoring, the attacker usually uses access request message 1 and access request message 1' to obtain physical network card information, uses access request message 2 to obtain registry information, and uses access request message 3 and access request message 3' To obtain the driver information, correspondingly, the access request message 1, the access request message 1', the access request message 2, the access request message 3 and the access request message 3' are all determined as the access for accessing the environment characteristic information of the virtualization environment request message. Then, further determine the application program interface (API) corresponding to each of the above-mentioned access request messages. The monitoring purpose can be achieved by setting the hook function here.

Wherein, step S100 is an optional step, and in other embodiments of the present invention, step S100 may also be omitted, or the purpose of step S100 may be achieved in other alternative ways.

Step S110: When an access request message for accessing the environment feature information of the virtualized environment is detected, intercept the access request message.

Wherein, the access request message is intercepted by a hook function (that is, the HOOK mechanism), so as to process the access request message according to the preset processing logic in the hook function.

Step S120: Determine the access result data corresponding to the access request message, and determine the data type of the access result data.

Wherein, the data type of the access result data may be determined according to various factors. In this embodiment, it is mainly determined according to the protection policy. Specifically, it is necessary to obtain all data contents of the access result data in advance, and then set a corresponding protection policy for each item of data content, and classify data contents with the same protection strategy into the same data type.

For example, the data types of the access result data include: the first type of data and/or the second type of data. Wherein, the first type of data type includes: a type corresponding to data existing in both the virtualized environment and the non-virtualized environment. For example, whether it is a virtualized environment or a non-virtualized environment, network card information and registry information are required. Therefore, the access result data corresponding to this type of information is used as the first type of data type. The second type of data type includes: types corresponding to data available in the virtualized environment and not available in the non-virtualized environment. For example, the type corresponding to the unique data in the virtualization environment is used as the second type of data type.

Step S130: Query the protection policy that matches the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

Among them, in this embodiment, the protection strategy matching the first type of data includes: setting corresponding fake result data for the access result data of the first type of data in advance, when the access to the first type of data is intercepted When an access request message is sent by the result data, dummy result data corresponding to the access result data of the first data type is returned for the access request message. Since this type of data exists in all environments, the access result must be returned to the electronic device, otherwise the user of the electronic device will be suspicious. Therefore, this embodiment adopts the method of returning false result data. In fact, it is also possible to pre-judge whether the real content of the access result data will reveal the characteristics of the virtualized environment, and if so, return the fake result data; if not, directly return the real access result data.

The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message. Since this type of data exists only in the virtualization environment, once the corresponding data is returned to the electronic device, the electronic device will be able to see through the virtualization environment. Therefore, no response result is returned to the access request message corresponding to the second type of data, so that the electronic device cannot obtain the data used to identify the characteristics of the virtualized environment.

It can be seen that the present invention can monitor the access request message used to access the environment feature information of the virtualized environment, and perform corresponding protection processing for the access request message, so as to prevent the virtualized environment from being recognized by people, and improve the virtualized environment. protective effect.

In order to facilitate the understanding of the present invention, FIG. 2 shows a schematic structural diagram of a specific wireless network intrusion detection system provided by the present invention. Correspondingly, the method for protecting a virtualized environment in the present invention can be implemented based on the system. As shown in FIG. 2 , the system includes: a wireless access module 21 , a network transmission module 22 , a first intrusion detection module 23 , and a second intrusion detection module 24 . Wherein, the number of the second intrusion detection module 24 shown in FIG. 2 is multiple, and in actual situations, the number of the second intrusion detection module 24 may be only one. Moreover, in other embodiments of the present invention, the number of first intrusion detection modules 23 may also be multiple.

In this embodiment, the wireless network intrusion detection system is mainly used to lure the attacker to access, monitor and record the attacker's device information and attack behavior, correspondingly, it can implement targeted defense measures, and can also be used when necessary Implement alarms, and trace the source of attackers, etc. Therefore, the wireless network intrusion detection system in this embodiment can also be understood as a honeypot system implemented by honeypot technology, and the honeypot system can realize various functions. The specific structure and working principle of each module in the system are introduced respectively as follows:

1. Wireless access module

The outermost layer of the system is the wireless access module 21 . The wireless access module 21 is adapted to monitor whether there is an electronic device that invades the wireless network through a preset network vulnerability; when the monitoring result is yes, obtain the device identification of the electronic device and the device access information corresponding to the device identification; Optionally, the access information of the device may also be analyzed, and the electronic device may be located according to the analysis result. It can be seen that the wireless access module 21 mainly has two functions: on the one hand, it actively sets up network vulnerabilities to lure attackers to access; on the other hand, once an electronic device connected to the wireless network is found, it records the electronic device device identification and device access information.

Firstly, a specific implementation method of setting a network loophole is introduced: specifically, the wireless access module 21 sets a network loophole in a preset wireless access device for external electronic devices to access the wireless network. Wherein, the wireless access device may be various types of access points capable of accessing a wireless network, such as a router. Specifically, when setting a network vulnerability, it can be realized in various ways such as opening a wireless network port, and/or weakening a wireless network password. Among them, network vulnerabilities can also be understood as traps, which are mainly used to trick attackers into accessing. The present invention does not limit the specific implementation manner of setting network loopholes.

Then, a specific implementation manner of recording the device identification and device access information of the electronic device is introduced. Wherein, the device identifier can be various information that can uniquely identify an electronic device, so that the related information of the electronic device can be tracked according to the device identifier in the subsequent process. The device access information refers to information related to the device that can be obtained during the process of the device accessing the wireless network. Correspondingly, the wireless access module 21 records device access information such as the device name, IP address, and MAC address connected to the wireless network, so as to locate the physical location of the attacker, so that the attacker is under surveillance as soon as he accesses the wireless network. Optionally, in order to force the attacker to disclose more information, in this embodiment, when the wireless access module 21 obtains the device ID of the electronic device and the device access information corresponding to the device ID, it may further Pushing the preset webpage to the electronic device, obtaining the access result generated by the electronic device for the preset webpage, and determining the device access information of the electronic device according to the access result. Wherein, the preset web page includes: a social web page logged in through a social account or other pages that need to be logged in through personal information. Information, such as Weibo account and password information, QQ account and password information, etc. In addition, in the process of electronic devices accessing webpages, other device access information can be further obtained, such as browser version, operating system version, device screen resolution, and browser plug-in information. information. The wireless access module 21 associates and stores the device access information of the electronic device with the device identifier of the electronic device in a preset device access table for subsequent query.

It can be seen that the wireless access module is mainly used to lure attackers to access and obtain corresponding device access information, so as to realize functions such as positioning or early warning.

2. Network transmission module

The second outer layer of the system is the network transmission module 22 . The network transmission module 22 is adapted to acquire network traffic information generated after the electronic device accesses the wireless network, and provide the acquired network traffic information to the first intrusion detection module 23 for subsequent analysis. In addition, the network transmission module 22 is also adapted to determine whether the network traffic information generated after the electronic device accesses the wireless network includes network traffic triggered by access behaviors that meet preset warning rules, and if so, generate an intrusion warning signal. During specific implementation, the network transmission module 22 obtains the network traffic information generated by the electronic device invading the wireless network; analyzes the network traffic information, and determines the network access behavior of the electronic device according to the analysis result; judges whether the network access behavior of the electronic device complies with A preset early warning rule, if yes, generates an intrusion early warning signal for early warning.

Among them, the network transmission module mainly obtains network traffic information after the electronic device is connected to the wireless network through network capture and other methods. In addition, the inventor found in the process of implementing the present invention that: the traditional network packet capture method can only obtain the traffic of electronic devices accessing external websites through wireless networks, but cannot obtain the traffic between electronic devices and various devices inside the wireless network. flow. For example, in this embodiment, since the wireless network includes multiple preset devices such as the first intrusion detection module and multiple second intrusion detection modules, in order to more accurately obtain the information generated by the electronic device for each intrusion detection module Network traffic information. In this embodiment, each first intrusion detection module and second intrusion detection module are connected to the wireless network in a bridging manner. Correspondingly, the network transmission module respectively acquires Each preset device (namely: the first intrusion detection module and the second intrusion detection module) generates the point-to-point network flow information, and provides the point-to-point network flow information to the corresponding preset device. For example, with respect to the acquired network flow information of the electronic device accessing the first intrusion detection module, the part of the network flow information is provided to the first intrusion detection module for subsequent analysis and processing. It can be seen that the present invention can accurately obtain the point-to-point flow information between the electronic device and each intrusion detection module through the bridging method, so as to facilitate the determination of the network behavior performed by the electronic device for each intrusion detection module.

By analyzing the network traffic information obtained above, the network access behavior of the electronic device (for example, the number of opened web pages and the address of the web page, etc.) can be known. Optionally, in this embodiment, the network transmission module can also determine whether to trigger an early warning signal for the network access behavior of the electronic device according to a preset early warning rule, so as to realize the early warning function. The warning rules include warning rules of multiple network security levels. Correspondingly, the network transmission module first determines the current network security level, and then selects an early warning rule that matches the current network security level. For example, the network security level can be divided into three security levels: a high security level, a medium security level, and a low security level, and accordingly, corresponding warning rules are set for each security level. System operators can set network security levels according to current business needs. Correspondingly, the early warning rule may include at least one of the following three rules:

The first warning rule is: a rule for giving a warning when a scanning behavior is detected through a preset scanning tool. Among them, the network transmission module can pre-acquire the scanning tools commonly used by hackers, and store the obtained scanning tools in the hacking tool list. Forewarning. Wherein, the scanning tools stored in the hacking tool list may include: NMAP, SQLMAP, WVS, and the like. The second warning rule is: a rule for giving a warning when a tentative connection to a preset device in the wireless network is detected. This rule can be applied to high-security network settings. Through this rule, as long as an attempt to connect to a preset device such as an intrusion detection module is found, an early warning will be given. The third warning rule is: a rule for giving a warning when a successful connection to a preset device in the wireless network is detected. This rule can be applied to network settings with medium security level or low security level. Through this rule, an alert will be issued only when a successful connection is found. For example, when an access request triggered by an intrusion detection module is detected, an alert is triggered.

It can be seen that the network transport layer can monitor the network traffic information in the whole network, and give early warning according to the monitoring results, so as to improve the security of the system. Wherein, the early warning rule can be flexibly set by those skilled in the art, which is not limited in the present invention.

Optionally, in order to obtain more information about the electronic device, in this embodiment, the network transmission module can further implement the following operations: intercept the website access request sent by the electronic device according to the network traffic information generated by the electronic device, and intercept the Inserting a preset access script for accessing a preset website into the received website access request; receiving access result data corresponding to the preset website, and determining device attribute information of the electronic device according to the access result data. Correspondingly, the network transmission module can also further locate the electronic device according to the device attribute information. During specific implementation, firstly, the type of website access requests to be intercepted is set in advance, for example, it may be set to intercept access requests for search websites such as Baidu. Then, a preset access script for accessing a preset website is inserted into the intercepted website access request. Wherein, the preset access script can be generated and maintained by the first intrusion detection module, and the network transmission module only needs to call the script. The preset access script can be realized by JS script or URL address, and is used to access social networking sites such as Renren.com and Weibo. Finally, receive the access result data corresponding to the preset website, determine the device attribute information of the electronic device according to the access result data, wherein the operation of determining the device attribute information can be realized by the first intrusion detection module, and correspondingly, the network transmission module will The received access result data fed back by the preset website is sent to the first intrusion detection module for the first intrusion detection module to determine the device attribute information of the electronic device in combination with the access result data. It can be seen that the network transmission module mainly realizes the following functions in the above process: on the one hand, instead of the user, it sends an access request for the preset website to the server of the preset website; on the other hand, it replaces the user to receive the access result returned by the server. Therefore, the network transmission module can visit the preset website and obtain the access result without the user of the electronic device invading the wireless network knowing, and then obtain the relevant information of the electronic device. Among them, the main difference between the device attribute information and the device access information lies in that the timing and subjects of obtaining the two are different. Specifically, the device access information is obtained by the wireless access module during the access phase, and the device attribute information is obtained by the first intrusion detection module when the electronic device infiltrates into the wireless network and accesses the first intrusion detection module. Reflect the attribute information of the device. In actual situations, the contents of the device access information and the device attribute information may overlap.

3. The first intrusion detection module

The first intrusion detection module is located between the network transmission layer and the second intrusion detection module, and is used for analyzing the network flow information provided by the network transmission module, and determining the device attribute information of the electronic device according to the analysis result. During specific implementation, the first intrusion detection module can be realized in various ways, for example, it can be realized through a virtual machine or a sandbox by using honeypot technology. Honeypot technology is essentially a technology to deceive attackers. By arranging some hosts, network services or information as bait, it can entice attackers to attack them, so that the attack behavior can be captured and analyzed, and the attack behavior can be understood. The tools and methods used by attackers, speculating on attack intentions and motivations can enable defenders to clearly understand the security threats they face, and enhance the security protection capabilities of actual systems through technical and management means. In this embodiment, the first intrusion detection module is a web-type honeypot (ie: a service-type honeypot), and the interactivity of the first intrusion detection module is lower than that of the second intrusion detection module. Therefore, the first intrusion detection module can also be The intrusion detection module is called a Web-type low-interaction intrusion detection module. Hereinafter, for convenience of description, the first intrusion detection module is called a Web-type low-interaction honeypot.

The web-type low-interaction honeypot can obtain the network traffic information generated by the electronic device invading the wireless network; analyze the network traffic information, and determine the device identification of the electronic device and the device attribute information corresponding to the device identification according to the analysis results . Optionally, the web-type low-interaction honeypot can also detect the location information of the electronic device according to the device attribute information, so as to locate or trace the electronic device. It can be seen that the web-type low-interaction honeypot is mainly used to further collect attacker information. Specifically, the device attribute information that can be collected includes, but is not limited to: browser version, operating system version, device screen resolution, browser plug-in information, social account information, device fingerprints, plug-in information, time zone information, GPU information, and Device language information, etc.

In addition, in order to facilitate the collection of more information, the web-type low-interaction honeypot is further used to: pre-generate a preset access script for accessing a preset website; wherein, the preset access script is used to insert the intercepted electronic device sent Website access request in progress. Correspondingly, when the web-type low-interaction honeypot determines the device ID of the electronic device and the device attribute information corresponding to the device ID based on the analysis results, it combines the obtained access result data corresponding to the preset website to determine the device ID of the electronic device. Device attribute information. Wherein, the preset website includes: a social networking website logged in through a social account, and the like, and the preset access script can be implemented through a JS script or a URL address, and is used to access preset websites such as Renren.com and Weibo. Correspondingly, the device attribute information of the electronic device includes: social account information determined according to the visit result generated for the social networking site. That is to say, the web-type low-interaction honeypot is responsible for maintaining preset access scripts for calling by the network transmission module; and, the web-type low-interaction honeypot is further used to analyze the network traffic information and access result data obtained by the network transmission module etc., so as to determine the device attribute information of the electronic device. It can be seen that through the cooperation of the web-type low-interaction honeypot and the network transmission module, the user of the electronic device can automatically visit the default website and obtain relevant information without the user noticing, so as to locate and provide information for subsequent attackers. Operations such as traceability provide more valuable information.

4. The second intrusion detection module

The second intrusion detection module is located at the innermost layer of the entire system, and is used to obtain behavior characteristic information of electronic equipment, and generate an intrusion alarm signal when it is determined that the behavior characteristic information conforms to preset alarm rules. During specific implementation, the second intrusion detection module can also be implemented through various implementation methods, for example, it can be implemented through a virtual machine or a sandbox by using honeypot technology. In this embodiment, the interactivity of the second intrusion detection module is higher than that of the first intrusion detection module, therefore, the second intrusion detection module can also be called a highly interactive intrusion detection module. In addition, the second intrusion detection module can be applied to both the Windows system and the Linux system. Correspondingly, the second intrusion detection module can be divided into two types, which are Windows-type high-interaction honeypots and Linux-type high-interaction honeypots. Interactive honeypot. In this embodiment, the Windows-type high-interaction honeypot is mainly used as an example for introduction.

Specifically, the behavior characteristic information of the electronic equipment obtained by the Windows-type high-interaction honeypot may include multiple types, and correspondingly, the preset alarm rules may also include multiple types of rules:

The first rule is: determine whether the behavior characteristic information matches the malicious command stored in the preset blacklist, and if so, generate an intrusion alarm signal (also called behavior intrusion alarm signal). Specifically, the Windows-type high-interaction honeypot monitors system activities and various behaviors of electronic equipment, and if it detects that the electronic equipment executes malicious commands stored in the preset blacklist, it will trigger an intrusion alarm signal. Wherein, the preset blacklist is used to store predetermined attack commands commonly used by hackers. Table 1, Table 2 and Table 3 show schematic diagrams of some malicious commands stored in the blacklist.

Table 1

order Order Execution times options 1 task list 119 /s/v 2 ver 92 3 ipconfig 58 /all 4 net time 30 5 systeminfo twenty four 6 netstat twenty two -ano 7 qprocess 15 8 query 14 user 9 whoami 14 /all 10 Net start 10 11 nslookup 4 12 fsutil 3 Fsinfo drives 13 time 2 /t 14 set 1

Table 2

table 3

order Order Execution times options 1 at 98 2 reg 29 Add export query 3 wmic twenty four 4 Netsh adv firewall 4 5 sc 4 Qc query 6 wusa 2

The second rule is: record the files operated by the electronic device into the preset operation file list, and record the files that have a preset association relationship with the files in the operation file list into the preset suspicious file list. Operate the files in the file list and the suspicious file list to determine whether to generate an intrusion alarm signal (also called a file intrusion alarm signal). For example, when a file in the suspicious file list is detected to be executed, a file intrusion alarm signal is generated. This rule can also be called taint tracking technology. The main idea is to continuously monitor and track all files related to electronic equipment, and call the police when suspicious situations are found.

For example, various operations such as creation, modification, and deletion of files can be monitored, and all these files can be recorded in the preset operation file list as files operated by the electronic device. It can be seen that the operation file list is used to record all files directly operated by the electronic device, and the operation types include multiple types. In addition, the files that have a preset association relationship with the files in the operation file list are further determined. Wherein, the files having the preset association relationship include but not limited to: the files having the binding relationship with the files in the operation file list. For example, if the electronic device further creates a bundled file A' of file A while creating file A, correspondingly, file A is recorded in the operation file list, and file A' is recorded in the suspicious file list. And, in the follow-up process, the operation file list and the suspicious file list are continuously monitored. Once the file in the list of suspicious files is detected to be executed, it will report to the police immediately. That is to say, the files in the operation file list are the files directly operated by the electronic equipment, while the files in the suspicious file list are the files that the electronic equipment has not operated or has not directly operated (maybe indirectly or implicitly). These two types of files are stored in different lists, so that different monitoring methods and alarm methods can be set for each file according to its characteristics. For example, the reason why electronic devices create bundled files is often to avoid monitoring operations on the list of operating files. Usually, bundled files do not appear in the desktop system, are not real files, and only exist in memory. Therefore, they have Stronger concealment, but once this type of file is executed, it will cause harm to the system. For this reason, in this embodiment, associated files such as bundled files and hidden files are stored separately in the suspicious file list, so as to facilitate stronger monitoring of these files and prevent them from performing malicious acts.

In addition, the Windows-type high-interaction honeypot can further monitor the creation of processes, and inject monitor.dll (a dynamic link library for monitoring processes) into suspicious processes to track process behavior. Moreover, a process blacklist can also be set, for example, all non-system-level processes are included in the process blacklist, and each process in the process blacklist is continuously monitored, and an alarm is triggered once a dangerous process creation operation is found. In addition, Windows-type high-interaction honeypots can also monitor registry operations to find dangerous behaviors.

In addition, each Windows-type high-interactivity honeypot can also process logs and alarm information, and can also realize communication with the first intrusion detection module or other Windows-type high-interactivity honeypots, so as to realize the overall system linkage processing. To this end, the wireless access module is further adapted to: associate and store the device access information of the electronic device with the device identifier of the electronic device; and the first intrusion detection module is further adapted to: associate the device attribute information of the electronic device with the device identifier of the electronic device Identifier associated storage; then the second intrusion detection module is further adapted to: when it is determined that the behavior feature information conforms to the preset alarm behavior rules, acquire and analyze the device access information and device attribute information stored in association with the device identifier of the electronic device . That is to say, in this system, the relevant information (including device access information, device attribute information, and behavior characteristic information, etc.) obtained by each module for the electronic device is stored in association with the device identifier of the electronic device. Correspondingly, Each module can obtain all information stored in association with the device identifier through the device identifier. That is, each module can obtain not only the information determined by itself, but also the information determined by other modules, so as to realize information sharing. Correspondingly, the first intrusion detection module and/or the second intrusion detection module may be further adapted to: determine the user identifier corresponding to the electronic device according to the device access information, device attribute information and/or behavior characteristic information of the electronic device; User characteristic information for traceability based on user identification and user characteristic information.

It can be seen that the first intrusion detection module and/or the second intrusion detection module are mainly used to leave a breakthrough for the attacker, so that the attacker has the opportunity to log in to the system; Alarm and capture samples corresponding to malicious behaviors for analysis using sandbox technology.

In addition, the system essentially uses multi-layer rings to realize comprehensive monitoring of intrusion devices, and FIG. 3 shows a schematic structural diagram of the multi-layer rings in the system. As shown in Figure 3, the system is divided into three layers of rings from the outside to the inside. The outermost ring 3 is mainly composed of wireless access modules, and the middle ring 2 is mainly composed of the first intrusion detection module. The inner ring 1 is mainly composed of the second intrusion detection module. The network transmission module is between ring 3 and ring 2. It can be seen that the system uses the design method of multi-layer rings to lure attackers to infiltrate ring by ring and leak more information; moreover, the information collected in each ring can be linked and queried.

In addition, both the first intrusion detection module and the second intrusion detection module in ring 2 and ring 3 are virtual machines installed with a real operating system, so as to collect information better. Moreover, in order to prevent intruding electronic devices from seeing through the honeypot mechanism, the fingerprint feature information of the virtual machine is managed through a preset program plug-in running at the system layer; wherein, the fingerprint feature information includes: network card information, registry information and/or key values information etc. Wherein, the fingerprint characteristic information belongs to a kind of environment characteristic information. Moreover, the program plug-in runs at the system layer, and its running authority is greater than that of other processes in the electronic device, so it can effectively prevent other processes from accessing the fingerprint feature information of the virtual machine.

During specific implementation, in order to protect the virtualization environment inside the first intrusion detection module and the second intrusion detection module, so as to prevent electronic devices from being seen through, the first intrusion detection module and/or the second intrusion detection module can further perform the following operations : When monitoring an access request message for accessing the environment feature information of the virtualized environment, intercept the access request message; determine the access result data corresponding to the access request message, and determine the data type of the access result data; query and The data type of the access result data matches the protection strategy, and the access request message is protected and processed according to the queried protection strategy.

Specifically, it is necessary to predetermine the application program interface (API) corresponding to the access request message for accessing the environment feature information of the virtualized environment, and set hook functions for these APIs; wherein, the hook function is used to monitor Triggered access request message. Wherein, the environment characteristic information of the virtualization environment includes all characteristics related to the system environment, for example, includes the above-mentioned fingerprint characteristic information of the virtual machine. When determining the application program interface corresponding to the access request message used to access the environment feature information of the virtualized environment, the access behavior sent by the electronic device invading the virtualized environment for the virtualized environment can be monitored, and the An access request message describing the environment characteristic information of the virtualization environment. For example, since electronic devices invading a virtualized environment often consciously obtain environmental characteristic information of the virtualized environment in order to determine whether the current system environment is a virtualized environment realized through honeypot technology, once the electronic device discovers the current system The environment is a virtualized environment implemented by honeypot technology, and it will leave the current environment. Therefore, by monitoring the access behavior of the electronic device, it is possible to determine the APIs corresponding to the access request messages that the electronic device often uses to obtain the environment feature information of the virtualized environment, and monitor these APIs. For example, in this embodiment, by monitoring the access behavior of the electronic device, it is generally found that the electronic device detects the virtual machine through the following methods: detecting specific CPU instructions in the execution environment, detecting specific registry information in the execution environment and Configuration information, detection of specific processes and services in the execution environment, detection of file systems and specific hardware information (MAC address, hard disk) in the execution environment, detection of memory characteristics in the execution environment, detection of configuration of the execution environment (hard disk size, memory size) , number of CPU cores, etc.). In addition, since the intrusion detection module in this embodiment can also be implemented through a sandbox, it is found by monitoring the access behavior of the electronic device that the electronic device detects the sandbox generally through the following methods: Detect whether there is a specific User activities (such as mouse movement, access to a certain website, etc.), Sleep for a period of time before execution, loop delay execution, detection hook Hook (including: user Hook, kernel Hook, etc.), detection network connectivity, detection user name, only in Specific date execution, detection time acceleration, end analysis tool execution, detection of browser records, running programs, installed programs, etc. Moreover, electronic devices usually use a combination of various means to implement the detection operations of virtual machines and sandboxes. Therefore, this embodiment determines the access request message corresponding to the above operations and its corresponding Correspondingly, a hook function is set at the API so as to intercept and process the access request message sent through the API.

For the intercepted access request message, determine the access result data corresponding to the access request message, and determine the data type of the access result data; query the protection strategy that matches the data type of the access result data, and according to the queried protection strategy Protective processing is performed on the access request message. In this embodiment, the access result data corresponding to the access request message is divided into the first data type and the second data type in advance.

Wherein, the first type of data type includes: a type corresponding to data existing in both the virtualized environment and the non-virtualized environment. For example, whether it is a virtualized environment or a non-virtualized environment, network card information and registry information are required. Therefore, the access result data corresponding to this type of information is used as the first type of data type. Since this type of data exists in all environments, an access result must be returned to the electronic device, otherwise it will arouse suspicion of the user of the electronic device. In this regard, the protection strategy set in this embodiment that matches the first type of data type includes: pre-setting corresponding fake result data for the access result data of the first type of data type, when the access to the first type of data type is intercepted When an access request message is sent by the result data, dummy result data corresponding to the access result data of the first data type is returned for the access request message. That is to say, for the access result data of the first data type, it is determined in advance whether the value of the data will reveal the characteristics of the virtualization environment, and if so, the corresponding dummy result data is set for the data, and the corresponding fake result data is returned to the electronic device. Dummy result data. For example, for a physical network card, although both the virtualization environment and the non-virtualization environment have physical network cards, the characteristics of the network card in the two environments may be different. For this, for the access result data of the network card, set the corresponding As for the false result data (that is, the data consistent with the non-virtualized environment), once the electronic device requests the network card data, it will receive the corresponding false result data, so that the electronic device cannot see through the virtualized environment.

The second type of data type includes: types corresponding to data available in the virtualized environment and not available in the non-virtualized environment. Since this type of data exists only in the virtualization environment, once the corresponding data is returned to the electronic device, the electronic device will be able to see through the virtualization environment. To this end, the protection strategy set in this embodiment that matches the second type of data type includes: when an access request message sent for the access result data of the second type of data type is intercepted, return an empty message for the access request message . That is to say, no response result is returned to the access request message corresponding to the second type of data, so that the electronic device cannot obtain the data used to identify the characteristics of the virtualized environment. It can be seen that the virtualization environment in this embodiment includes: a virtualization environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox. No matter what type of virtualization environment it is, it can be protected through the above two strategies.

In addition, in this embodiment, the protection of the virtualized environment can also be realized in the following ways: (1) using open source hardware virtualization software, source code compilation removes or modifies the specific fingerprint information of the virtual machine, so that the malware in the electronic device can detect Invalid; (2) Change the sandbox hardware configuration to make it more like a real machine (optionally return false configuration information through Hook); (3) Configure the system normally and install common software to increase confusion; (4) Simulate normal user operations (mouse click, network access) to prevent being seen through by electronic devices; (5) Appropriately increase the detection time; (6) Hook off some abnormal operations (restart, shutdown); (7) For Hook (8) Configure the virtual network environment through other methods that can evade detection.

It can be seen that the first intrusion detection module and the second intrusion detection module in this system can hide the virtualized environment, so as to prevent the honeypot environment from being recognized by the electronic equipment, thereby improving the usability of the system.

In addition, this system can also realize the hacker portrait function according to the information collected by each module, so as to realize the positioning of the attacker. Correspondingly, the system further performs the following operations: when an electronic device intruding into a wireless network is detected, record the device access information of the electronic device (that is, the function realized by the above-mentioned wireless access module); obtain the network information generated by the electronic device Flow information, determine the device attribute information of the electronic device and the user attribute information corresponding to the electronic device according to the network flow information; collect the device access information of the electronic device, the device attribute information of the electronic device, and the user attribute information corresponding to the electronic device Perform correlation analysis, and determine the attacking user information corresponding to the electronic device according to the analysis result; wherein, the attacking user information is used to locate the attacker and/or detect the location of the electronic device. The specific connotations and acquisition methods of the device access information and device attribute information have been described above, and will not be repeated here. The user attribute information corresponding to the electronic device mainly refers to the personal behavior information related to the attacker. This part of the information can be determined not only through the device attribute information, but also based on the behavior characteristic information mentioned above. In this embodiment, the user attribute information may include user identity information, such as: social account information, attack tool information, online address information of a remote control Trojan horse, and backdoor login password information. That is to say, in this embodiment, information related to user behavior in the above-mentioned device attribute information can be separated as user attribute information.

For ease of understanding, the following uses device fingerprint information as an example to list several common device attribute information, including: IP address, geographic location, network identity, device fingerprint, operating system, browser, etc. In addition, device attribute information can also be transmitted through WebRTC (Web Real-Time Communication, web real-time communication), UA (User Agent, user agent), drawing (Canvas), resolution (including: size, color 16/24) , plug-in, time zone, language (language), GPU (Graphics Processing Unit, graphics processor), AudioContext and other auxiliary determination. Specifically, the IP address of the internal and external network can be obtained by using the WebRTC protocol, even if there is a VPN (Virtual Private Network, virtual private network). The browser version and operating system version can be judged through UA. In addition, when drawing a Canvas picture, the same Canvas drawing code has the same and unique characteristics of the picture drawn in different machines and browsers. Based on this feature, the present invention only needs to extract the simplest CRC (Cyclic Redundancy Code, cycle Redundancy check) value can uniquely identify and track an electronic device and its corresponding user. By obtaining the resolution of the attacker's electronic device as an auxiliary condition, the uniqueness of the electronic device can be determined more accurately. Moreover, by obtaining the plug-in of the attacker's electronic device to determine the software installed by the attacker and as an auxiliary condition, the uniqueness of the electronic device can be determined more accurately. Moreover, by obtaining the time zone of the attacker's electronic device, the country or region to which the attacker belongs can be determined, and used as an auxiliary condition to determine the uniqueness of the electronic device. By obtaining the GPU model of the attacker's electronic device, it can be used as an auxiliary condition to determine the uniqueness of the electronic device. In addition, the language mentioned above (namely language) is not limited to the language used by the current browser, but includes all languages supported by the system, such as Simplified Chinese, Traditional Chinese, and English. The inventor found in the process of realizing the present invention that there is no ready-made call interface to obtain the language information of the system in the prior art. In order to solve this problem, the following method is adopted in this embodiment: the user of the electronic device is required to Write two characters in all the languages in , if the system supports the language, then it can be written normally; language assistance to determine the uniqueness of the electronic device and the identity information of the user of the electronic device. During specific implementation, the preset instructions issued by the electronic device can be intercepted through the hook function, and the languages supported by the system can be determined through the operating logic set in the hook function to implement writing in various languages. It can be seen that the device attribute information in this embodiment may include various contents, and part of the information may also be used to assist in determining user attribute information.

Several common user attribute information are introduced below:

First, user attribute information includes user identity information. For example, it includes the user account information obtained through the methods mentioned above. Among them, the user account information includes the account number and corresponding password information registered by the user on various websites. In addition to user account information, it may also include other types of information that can reflect the identity of the user.

Secondly, the user attribute information also includes user behavior information, which is mainly used to determine the attacker's attack tool and attack method. Specifically, capture the attack tool and attack method used by the attacker, and extract the features in the tool, such as: URL, IP, MD5 of the sample, the online address of the remote control Trojan, the login password of the back door, etc.; use the above features to determine two Whether the attacker is the same person, and it is also possible to determine the level of the attacker. For example, the same attacker downloads the same sample after each login, so the MD5 of the sample must also be the same. Moreover, for the same attacker, the online address of the remote control Trojan horse and the login password of the back door must be the same. Correspondingly, an attacker can be uniquely determined through the above information.

After obtaining the above-mentioned device access information, device attribute information, and user attribute information, perform correlation analysis on the above-mentioned information, and determine the attacking user information corresponding to the electronic device according to the analysis result. The so-called association analysis refers to performing analysis after associating the above-mentioned items of information together according to the device identification. Since the device access information, device attribute information, and user attribute information of the same user correspond to the same device identifier, the information of the same user can be associated with each other through the device identifier, and the result obtained after the association can be used as Attack user information.

Next, after determining the attacking user information corresponding to the electronic device according to the analysis results, the attacking user identification corresponding to the attacking user information is further set, and the attacking user information and the attacking user identification are associated and stored as a data record in the preset attack user list. Here, the difference between the attacking user ID and the device ID is that the device ID is mainly used to uniquely identify an electronic device. Therefore, the device ID is related to the hardware characteristics of the electronic device, for example, the graphics card, resolution, network card, etc. of an electronic device. Hardware features are invariant, therefore, device identification is mainly used to identify an electronic device itself. However, the attacking user ID is mainly used to uniquely determine an attacker. Usually, an attacker uses the same electronic device for each attack. Therefore, in general, the role of the device ID and the attacking user ID can be replace each other. However, it does not rule out that in some special cases, an attacker uses different electronic devices for each attack. At this time, the connotation and function of the device identification and the attacking user identification are completely different. In layman's terms, the attacking user ID is related to the attacker's user attribute information. For example, the same attacker's social account information is unchanged, and the same attacker's attack methods and attack tools are fixed. Therefore, , the attacking user ID is mainly used to identify an attacker himself.

During specific implementation, the device access information and device attribute information may be used as information corresponding to the device ID one-to-one, and the user attribute information may be used as information corresponding to the attacking user ID one-to-one. Correspondingly, through the method of the present invention, not only can an electronic device be uniquely determined, but also an attacker can be uniquely determined, so that both the positioning of the electronic device and the information collection and search of the attacker can be realized.

Correspondingly, when the attacking user information corresponding to the electronic device is determined according to the analysis result, it is further inquired whether the attacking user list contains a data record matching the analysis result; if so, the data record is updated according to the analysis result. Specifically, for each data record in the attacking user list, determine whether the data record contains an information item with the same value as the information item in the analysis result; if so, determine the name and/or name of the information item with the same value or whether the quantity meets the preset matching rules, and if so, determine that the data record matches the analysis result. In this way, the information of each attacker can be stored through the attacking user list, and the attacker can be located and queried, thereby improving the security of the system.

In summary, the system provided by the present invention can lure attackers into the honeypot and expose relevant information. Each module in the system collects various information in a layer-by-layer manner, and the information can be linked and queried. The system also supports attack alerts via text messages or emails. Moreover, emergency treatment can also be achieved by locating the location of the attacker and stopping the attack. In addition, the system can also achieve source tracing and forensic analysis by viewing attack logs.

In addition, the second intrusion detection module of the system in this embodiment is introduced by taking the Windows-type high-interactivity honeypot as an example. In essence, the second intrusion detection module in the system can also be a Linux-type high-interactivity honeypot. Can. In addition, each module in the system can run on the same hardware device. Correspondingly, each module in the system can also be combined into fewer modules (for example, merged into one module), or split into more modules. The present invention does not limit the specific implementation of the system.

To sum up, it can be seen that the protection method of the virtualized environment in the present invention can be realized by the first intrusion detection module and/or the second intrusion detection module in the above system. Correspondingly, for the specific details of the protection method of the virtualized environment in the present invention, reference may be made to the description of the corresponding part in the above system.

Fig. 4 shows a schematic structural diagram of a protection device for a virtualized environment provided by another embodiment of the present invention. As shown in Fig. 4, the device includes:

The interception module 41 is adapted to intercept the access request message when monitoring the access request message for accessing the environment feature information of the virtualized environment;

A determining module 42, adapted to determine the access result data corresponding to the access request message, and determine the data type of the access result data;

The protection module 43 is adapted to query a protection policy matching the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

Optionally, the data type of the access result data includes: a first type of data type and/or a second type of data type;

Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message;

The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message.

Optionally, the first type of data type includes: a type corresponding to data that exists in both a virtualized environment and a non-virtualized environment;

The second type of data type includes: a type corresponding to data available in a virtualized environment and not available in a non-virtualized environment;

Wherein, the virtualized environment includes: a virtualized environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox.

Optionally, the interception module is further adapted to:

Predetermining an application program interface corresponding to an access request message for accessing the environment feature information of the virtualized environment, and setting a hook function for the application program interface;

Wherein, the hook function is used to monitor the access request message triggered through the API.

Optionally, the interception module is specifically adapted to:

Monitoring the access behavior sent by the electronic device invading the virtualization environment with respect to the virtualization environment, and determining the access request message for accessing the environment feature information of the virtualization environment according to the access behavior.

Optionally, the environment feature information includes at least one of the following: physical network card information, registry information, and driver information.

Wherein, the device can be realized by the first intrusion detection module and/or the second intrusion detection module in the above system.

According to one embodiment of the present invention, a non-volatile computer storage medium is provided, the computer storage medium stores at least one executable instruction, and the computer executable instruction can perform the protection of the virtualized environment in any of the above method embodiments. method.

Fig. 5 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.

As shown in FIG. 5 , the electronic device may include: a processor (processor) 502 , a communication interface (Communications Interface) 504 , a memory (memory) 506 , and a communication bus 508 .

Wherein: the processor 502 , the communication interface 504 , and the memory 506 communicate with each other through the communication bus 508 .

The communication interface 504 is configured to communicate with network elements of other devices such as clients or other servers.

The processor 502 is configured to execute the program 510, specifically, may execute the relevant steps in the above performance testing method embodiments.

Specifically, the program 510 may include program codes including computer operation instructions.

The processor 502 may be a central processing unit CPU, or an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or may be different types of processors, such as one or more CPUs and one or more ASICs.

The memory 506 is used to store the program 510 . The memory 506 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.

The program 510 can specifically be used to make the processor 502 perform the following operations:

intercepting the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualization environment;

determining the access result data corresponding to the access request message, and determining the data type of the access result data;

Query the protection policy that matches the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

Wherein, the data type of the access result data includes: the first type of data type and/or the second type of data type;

Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message;

The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message.

Wherein, the first type of data type includes: the type corresponding to the data in both the virtualization environment and the non-virtualization environment;

The second type of data type includes: a type corresponding to data available in a virtualized environment and not available in a non-virtualized environment;

Wherein, the virtualized environment includes: a virtualized environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox.

The program 510 may be specifically configured to cause the processor 502 to perform the following operations: predetermine an application program interface corresponding to an access request message for accessing the environment feature information of the virtualized environment, and set a hook function for the application program interface;

Wherein, the hook function is used to monitor the access request message triggered through the API.

The program 510 may be specifically configured to enable the processor 502 to perform the following operations: monitor the access behavior sent by the electronic device invading the virtualization environment for the virtualization environment, and determine the user for accessing the virtualization environment according to the access behavior. An access request message for environment characteristic information of the environment.

Wherein, the environment feature information includes at least one of the following: physical network card information, registry information, and driver information.

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings) and any method or method so disclosed may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. And form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components in the device according to the embodiments of the present invention. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

The present invention also discloses A1. A protection method for a virtualized environment, comprising:

intercepting the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualization environment;

determining the access result data corresponding to the access request message, and determining the data type of the access result data;

Query the protection policy that matches the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

A2. The method according to A1, wherein the data type of the access result data includes: a first type of data type and/or a second type of data type;

Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message;

The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message.

A3. The method according to A2, wherein the first type of data type includes: a type corresponding to data that exists in both a virtualized environment and a non-virtualized environment;

The second type of data type includes: a type corresponding to data available in a virtualized environment and not available in a non-virtualized environment;

Wherein, the virtualized environment includes: a virtualized environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox.

A4. The method according to any one of A1-3, wherein, before the method is executed, further comprising steps:

Predetermining an application program interface corresponding to an access request message for accessing the environment feature information of the virtualized environment, and setting a hook function for the application program interface;

Wherein, the hook function is used to monitor the access request message triggered through the API.

A5. The method according to A4, wherein the step of predetermining the application program interface corresponding to the access request message for accessing the environment feature information of the virtualized environment specifically includes:

Monitoring the access behavior sent by the electronic device invading the virtualization environment with respect to the virtualization environment, and determining the access request message for accessing the environment feature information of the virtualization environment according to the access behavior.

A6. The method according to any one of A1-5, wherein the environment feature information includes at least one of the following: physical network card information, registry information, and driver information.

The present invention also discloses B7. A protective device for a virtualized environment, comprising:

An intercepting module, adapted to intercept the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualized environment;

A determining module, adapted to determine access result data corresponding to the access request message, and determine a data type of the access result data;

The protection module is adapted to query a protection policy matching the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy.

B8. The device according to B7, wherein the data type of the access result data includes: a first type of data type and/or a second type of data type;

Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message;

The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message.

B9. The device according to B8, wherein the first type of data type includes: a type corresponding to data that exists in both a virtualized environment and a non-virtualized environment;

The second type of data type includes: a type corresponding to data available in a virtualized environment and not available in a non-virtualized environment;

Wherein, the virtualized environment includes: a virtualized environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox.

B10. The device according to any one of B7-9, wherein the interception module is further adapted to:

Predetermining an application program interface corresponding to an access request message for accessing the environment feature information of the virtualized environment, and setting a hook function for the application program interface;

Wherein, the hook function is used to monitor the access request message triggered through the API.

B11. The device according to B10, wherein the interception module is specifically adapted to:

Monitoring the access behavior sent by the electronic device invading the virtualization environment with respect to the virtualization environment, and determining the access request message for accessing the environment feature information of the virtualization environment according to the access behavior.

B12. The device according to any one of B7-11, wherein the environment characteristic information includes at least one of the following: physical network card information, registry information, and driver information.

Claims (10)

1. A protection method for a virtualized environment, comprising: intercepting the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualization environment; determining the access result data corresponding to the access request message, and determining the data type of the access result data; Query the protection policy that matches the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy. 2. The method according to claim 1, wherein the data type of the access result data comprises: a first type of data type and/or a second type of data type; Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message; The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message. 3. The method according to claim 2, wherein the first type of data type includes: a type corresponding to data that exists in both a virtualized environment and a non-virtualized environment; The second type of data type includes: a type corresponding to data available in a virtualized environment and not available in a non-virtualized environment; Wherein, the virtualized environment includes: a virtualized environment constructed by a virtual machine, and/or a virtualized environment constructed by a sandbox. 4. The method according to any one of claims 1-3, wherein, before the method is executed, further comprising the steps of: Predetermining an application program interface corresponding to an access request message for accessing the environment feature information of the virtualized environment, and setting a hook function for the application program interface; Wherein, the hook function is used to monitor the access request message triggered through the API. 5. The method according to claim 4, wherein the step of predetermining the application program interface corresponding to the access request message for accessing the environment characteristic information of the virtualized environment specifically comprises: Monitoring the access behavior sent by the electronic device invading the virtualization environment with respect to the virtualization environment, and determining the access request message for accessing the environment feature information of the virtualization environment according to the access behavior. 6. The method according to any one of claims 1-5, wherein the environment feature information includes at least one of the following: physical network card information, registry information, and driver information. 7. A protective device for a virtualized environment, comprising: An intercepting module, adapted to intercept the access request message when monitoring the access request message for accessing the environment characteristic information of the virtualized environment; A determining module, adapted to determine access result data corresponding to the access request message, and determine a data type of the access result data; The protection module is adapted to query a protection policy matching the data type of the access result data, and perform protection processing on the access request message according to the queried protection policy. 8. The device according to claim 7, wherein the data type of the access result data comprises: a first type of data type and/or a second type of data type; Among them, the protection strategy matching the first type of data includes: pre-setting corresponding fake result data for the access result data of the first type of data, when intercepting the access request sent for the access result data of the first type of data message, returning pseudo-result data corresponding to the access result data of the first type of data type for the access request message; The protection strategy matching the second type of data includes: when an access request message sent for the access result data of the second type of data is intercepted, return an empty message for the access request message. 9. An electronic device, comprising: a processor, a memory, a communication interface, and a communication bus, wherein the processor, the memory, and the communication interface complete mutual communication through the communication bus; The memory is used to store at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the method for protecting a virtualized environment according to any one of claims 1-6. 10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to execute the corresponding protection method for a virtualized environment according to any one of claims 1-6. operation.